10/09/2020 09:33:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223463 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223462 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=223461 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 09:33:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223464 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ec New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223474 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Security State Change OpCode=Info RecordNumber=223473 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223472 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x254 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223471 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x254 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223470 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a8 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223469 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x25c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223468 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x208 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223467 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223466 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x210 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x208 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223465 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223492 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223491 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223490 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223488 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223487 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223486 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223485 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223484 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58ABD Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223483 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58AAA Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223482 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58ABD Linked Logon ID: 0x58AAA Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223481 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58AAA Linked Logon ID: 0x58ABD Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223480 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2a8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223479 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223478 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223477 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223476 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Audit Policy Change OpCode=Info RecordNumber=223475 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x51DB0 10/09/2020 09:33:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Other System Events OpCode=Info RecordNumber=223495 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 09:33:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223494 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:33:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223493 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223502 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x61183 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223501 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:33:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223500 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223499 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:33:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223498 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223497 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:33:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223496 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:33:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Other System Events OpCode=Info RecordNumber=223503 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 09:34:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Security State Change OpCode=Info RecordNumber=223507 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0xa6c Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎10‎-‎09T09:34:16.970302500Z New Time: ‎2020‎-‎10‎-‎09T09:34:16.966000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 09:34:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=User Account Management OpCode=Info RecordNumber=223506 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-V5DC57V 10/09/2020 09:34:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=User Account Management OpCode=Info RecordNumber=223505 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-V5DC57V Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 9:34:16 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x14 User Account Control: 'Password Not Required' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 09:34:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=User Account Management OpCode=Info RecordNumber=223504 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-V5DC57V Process Information: Process ID: 0xa18 Process Name: C:\Windows\System32\net1.exe 10/09/2020 09:34:23 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Service shutdown OpCode=Info RecordNumber=223508 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 09:35:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223511 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223510 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x190 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=223509 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223524 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223523 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=223522 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x555C 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223521 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security State Change OpCode=Info RecordNumber=223520 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223519 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223518 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223517 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223516 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223515 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x234 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223514 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x22c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223513 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223512 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223539 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223538 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223537 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223536 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223535 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223534 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223533 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223532 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223531 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0C2 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223530 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA09A Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223529 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0C2 Linked Logon ID: 0xA09A Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223528 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA09A Linked Logon ID: 0xA0C2 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223527 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223526 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 09:35:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223525 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security State Change OpCode=Info RecordNumber=223540 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0x44c Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎10‎-‎09T09:35:38.479973000Z New Time: ‎2020‎-‎10‎-‎09T09:35:38.469000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223623 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223622 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223621 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223620 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Domain Users Account Domain: EC2AMAZ-DDIKSBP Old Account Name: None New Account Name: None Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223619 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223618 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223617 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223616 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223615 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223614 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 9:34:16 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223613 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 9:34:16 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223612 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223611 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\System Managed Group Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223610 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223609 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223608 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Storage Replica Administrators Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223607 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223606 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223605 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Management Users Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223604 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223603 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223602 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Access Control Assistance Operators Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223601 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223600 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223599 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Hyper-V Administrators Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223598 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223597 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223596 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Management Servers Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223595 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223594 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223593 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Endpoint Servers Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223592 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223591 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223590 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Remote Access Servers Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223589 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223588 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223587 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Certificate Service DCOM Access Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223586 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223585 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223584 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Event Log Readers Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223583 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223582 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223581 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Cryptographic Operators Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223580 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223579 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223578 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\IIS_IUSRS Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223577 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223576 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223575 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Distributed COM Users Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223574 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223573 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223572 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Log Users Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223571 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223570 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223569 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Monitor Users Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223568 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223567 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223566 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: NONE_MAPPED Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223565 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223564 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223563 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Network Configuration Operators Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223562 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223561 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223560 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Desktop Users Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223559 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223558 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223557 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Replicator Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223556 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223555 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223554 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Backup Operators Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223553 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223552 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223551 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Guests Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223550 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223549 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223548 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Users Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223547 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223546 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223545 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Administrators Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223544 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223543 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223542 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Print Operators Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: - 10/09/2020 09:35:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223541 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 09:35:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223632 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223631 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223630 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223629 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223628 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223627 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223626 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:35:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223625 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:35:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223624 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 09:35:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223641 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223640 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223639 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3d8 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:35:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223638 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3d8 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:35:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223637 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3d8 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:35:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223636 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 09:35:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223635 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1CD89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223634 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223633 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:35:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=System Integrity OpCode=Info RecordNumber=223645 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:35:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223644 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:35:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=System Integrity OpCode=Info RecordNumber=223643 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 09:35:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223642 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 09:35:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223647 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:35:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223646 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223649 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223648 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223655 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP 10/09/2020 09:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223654 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 9:36:03 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x10 User Account Control: 'Password Not Required' - Disabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 09:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223653 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0xca8 Process Name: C:\Windows\System32\net1.exe 10/09/2020 09:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223652 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0xbc8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 09:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223651 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0xbc8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 09:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223650 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0xbc8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 09:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223662 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x70E71 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 09:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223661 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x70E71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa14 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 09:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223660 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa14 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 09:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223659 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 09:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223658 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0xbc8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 09:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223657 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0xbc8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 09:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223656 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0xbc8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 09:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223663 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3d8 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 09:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security State Change OpCode=Info RecordNumber=223665 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4bc Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎10‎-‎09T09:36:17.602283700Z New Time: ‎2020‎-‎10‎-‎09T09:36:17.590000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 09:36:17 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Service shutdown OpCode=Info RecordNumber=223664 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 10:27:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223667 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=223666 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 10:27:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223668 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223670 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223669 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223676 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x39c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x31c Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223675 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x38c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x31c Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223674 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2f8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223673 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223672 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x304 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2f8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Process Creation OpCode=Info RecordNumber=223671 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2f8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:27:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223683 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 10:27:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223682 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223681 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:27:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223680 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=223679 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x70F8 10/09/2020 10:27:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223678 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security State Change OpCode=Info RecordNumber=223677 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223703 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223702 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223701 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223700 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223699 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223698 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223697 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223696 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223695 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223694 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x107AC Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223693 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10789 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223692 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x107AC Linked Logon ID: 0x10789 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223691 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10789 Linked Logon ID: 0x107AC Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223690 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223689 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223688 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223687 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223686 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223685 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:27:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223684 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:27:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223709 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:27:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223708 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:27:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223707 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 10:27:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223706 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:27:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223705 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:27:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223704 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1731B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223711 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223710 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223713 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223712 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223719 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP 10/09/2020 10:28:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223718 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 10:28:31 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 10:28:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223717 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0xfcc Process Name: C:\Windows\System32\net1.exe 10/09/2020 10:28:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223716 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0x690 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 10:28:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223715 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0x690 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 10:28:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223714 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0x690 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 10:28:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223727 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223726 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223725 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223724 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223723 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223722 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0x690 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 10:28:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223721 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0x690 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 10:28:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223720 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0x690 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 10:28:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223731 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP 10/09/2020 10:28:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223730 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 10:28:35 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 10:28:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223729 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0x0 Process Name: - 10/09/2020 10:28:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=User Account Management OpCode=Info RecordNumber=223728 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Process Information: Process ID: 0x0 Process Name: - 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=System Integrity OpCode=Info RecordNumber=223741 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223740 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 19f9ca6fa563fb0e87d5779c3e139544_733ee690-b6b1-4555-8fb2-4f93dcfad825 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\19f9ca6fa563fb0e87d5779c3e139544_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=System Integrity OpCode=Info RecordNumber=223739 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223738 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\19f9ca6fa563fb0e87d5779c3e139544_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=System Integrity OpCode=Info RecordNumber=223737 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223736 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\19f9ca6fa563fb0e87d5779c3e139544_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=System Integrity OpCode=Info RecordNumber=223735 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223734 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\19f9ca6fa563fb0e87d5779c3e139544_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=System Integrity OpCode=Info RecordNumber=223733 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Other System Events OpCode=Info RecordNumber=223732 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x6AA99 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\19f9ca6fa563fb0e87d5779c3e139544_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 10:28:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223743 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223742 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223817 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7DCF8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223816 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7DCF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223815 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223814 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223813 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7DBF4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223812 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7DBF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223811 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223810 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223809 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223808 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B92D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223807 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7D66E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223806 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7D66E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223805 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223804 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223803 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7D634 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223802 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7C194 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223801 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7D634 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223800 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7D634 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223799 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223798 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223797 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7D5F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223796 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7D5F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223795 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7D5F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223794 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223793 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223792 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7C258 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223791 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7C258 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223790 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7C258 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223789 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223788 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223787 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7C194 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223786 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7C194 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223785 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223784 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223783 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223782 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B01C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223781 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B92D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223780 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B92D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223779 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223778 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223777 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B8F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223776 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B56C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223775 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B8F1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223774 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B8F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223773 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223772 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223771 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B8BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223770 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B8BD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223769 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B8BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223768 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223767 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223766 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B7D6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223765 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B7D6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223764 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B7D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223763 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223762 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223761 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B56C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223760 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B56C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223759 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223758 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223757 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223756 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B01C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223755 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7B01C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223754 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223753 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223752 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7AF46 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223751 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7AF46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223750 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223749 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223748 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223747 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7A92D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223746 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7A92D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223745 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223744 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223903 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x821A3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223902 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x821A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223901 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223900 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223899 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x820A2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223898 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x820A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223897 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223896 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223895 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223894 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7FF60 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223893 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x81B49 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223892 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x81B49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223891 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223890 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223889 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x81B12 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223888 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x804AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223887 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x81B12 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223886 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x81B12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223885 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223884 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223883 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x81AE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223882 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x81AE1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223881 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x81AE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223880 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223879 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223878 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x805A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223877 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x805A3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223876 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x805A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223875 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223874 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223873 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x804AC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223872 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x804AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223871 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223870 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223869 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223868 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7FA71 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223867 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7FF60 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223866 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7FF60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223865 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223864 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223863 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7FF27 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223862 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7FF27 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223861 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7FF27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223860 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223859 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223858 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223857 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7FA71 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223856 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7FA71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223855 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223854 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223853 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F781 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223852 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F999 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223851 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F999 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223850 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223849 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223848 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F968 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223847 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F968 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223846 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F968 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223845 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223844 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223843 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F89F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223842 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F89F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223841 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F89F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223840 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223839 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223838 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F781 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223837 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F781 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223836 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223835 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223834 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223833 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F233 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223832 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F233 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223831 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223830 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223829 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7AF46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223828 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7DBF4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223827 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F1FA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223826 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F1FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223825 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223824 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223823 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F1C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223822 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F1C9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223821 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7F1C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223820 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223819 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223818 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x7DCF8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223914 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x820A2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223913 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x832E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223912 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x832E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223911 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223910 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223909 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x832AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223908 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x832AC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223907 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x832AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223906 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223905 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223904 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x821A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223931 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x859DD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223930 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x859DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223929 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223928 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223927 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x83D5A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223926 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x83D5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223925 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223924 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223923 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x83C26 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223922 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x83C26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223921 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223920 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223919 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223918 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x83760 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223917 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x83760 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223916 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223915 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223935 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x863B9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223934 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x863B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223933 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223932 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:28:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223936 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x83760 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xfa4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223967 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x981CF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223966 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x981CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223965 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223964 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223963 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x9654C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223962 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x9654C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223961 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223960 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223959 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x96452 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223958 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x96452 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223957 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223956 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223955 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223954 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x95DA0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223953 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x95DA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223952 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223951 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223950 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x95CBB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223949 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x83C26 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223948 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x95CBB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223947 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x95CBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223946 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223945 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223944 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x95C87 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223943 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x95C87 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223942 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x95C87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223941 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223940 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223939 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x863B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223938 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x859DD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223937 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x83D5A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223999 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99A9A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223998 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99A9A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223997 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223996 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223995 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99996 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223994 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99996 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223993 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223992 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=223991 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223990 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x994E2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223989 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x994E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223988 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223987 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223986 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x95DA0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223985 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99403 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223984 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x96452 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223983 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99403 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223982 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99403 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223981 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223980 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223979 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x993D2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223978 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x993D2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223977 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x993D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223976 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223975 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223974 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99153 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223973 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x981CF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=223972 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x9654C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=223971 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99153 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223970 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99153 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=223969 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=223968 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224007 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x9C285 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224006 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x9C285 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224005 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224004 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224003 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x9B64E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224002 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x9B64E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224001 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224000 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224012 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xA5CB0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224011 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xA5CB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224010 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224009 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224008 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x9C285 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224024 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224023 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224022 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224021 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224020 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224019 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224018 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224017 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224016 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224015 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224014 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224013 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224052 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBA6C3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224051 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBA6C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224050 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224049 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224048 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBA5BB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224047 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBA5BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224046 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224045 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224044 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224043 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xB9F6E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224042 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xB9F6E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224041 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224040 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224039 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x994E2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224038 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xB9E84 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224037 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99996 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224036 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xB9E84 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224035 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xB9E84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224034 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224033 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224032 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xB9E47 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224031 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xB9E47 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224030 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xB9E47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224029 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224028 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224027 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xA5CB0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224026 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x9B64E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224025 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0x99A9A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224060 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBCFBB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224059 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBCFBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224058 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224057 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224056 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBC31C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224055 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBC31C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224054 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224053 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224092 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBFBD2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224091 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBFBD2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224090 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224089 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224088 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBDFCC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224087 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBDFCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224086 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224085 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224084 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBDED2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224083 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBDED2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224082 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224081 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224080 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224079 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBD9E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224078 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBD9E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224077 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224076 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224075 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xB9F6E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224074 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBD8F3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224073 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBA5BB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224072 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBD8F3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224071 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBD8F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224070 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224069 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224068 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBD8C2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224067 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBD8C2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224066 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBD8C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224065 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224064 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224063 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBCFBB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224062 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBC31C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224061 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBA6C3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224124 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC161D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224123 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC161D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224122 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224121 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224120 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC1529 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224119 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC1529 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224118 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224117 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Security Group Management OpCode=Info RecordNumber=224116 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x41c Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224115 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC105C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224114 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC105C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224113 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224112 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224111 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBD9E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224110 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC0F7D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224109 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBDED2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224108 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC0F7D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224107 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC0F7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224106 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224105 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224104 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC0F4C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224103 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC0F4C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224102 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC0F4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224101 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224100 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224099 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC0955 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224098 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBFBD2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224097 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xBDFCC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224096 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC0955 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224095 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC0955 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224094 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224093 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224161 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC61F4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224160 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC61F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224159 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224158 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224157 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC4E8D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224156 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC4E8D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224155 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC4E8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224154 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224153 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224152 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC4DA2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224151 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC4DA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224150 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224149 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224148 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC4A3E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224147 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC4A3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224146 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224145 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224144 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC49F9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224143 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC49F9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224142 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC49F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224141 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224140 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224139 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC2ACF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224138 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC2ACF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224137 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC2ACF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224136 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224135 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224134 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC2A0A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224133 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC2A0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224132 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224131 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224130 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC29D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224129 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC29D9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224128 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC29D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224127 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224126 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224125 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC161D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224196 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_3e33901162166ae9.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224195 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224194 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86__676bbe2c7241b694.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224193 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_system_tools_fde5decba5bb578b.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224192 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224191 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224190 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224189 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224188 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224187 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_elambkup_0bc02aa0c28485f3.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224186 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224185 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224184 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224183 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224182 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224181 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224180 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224179 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC7D28 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224178 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC7D28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224177 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224176 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224175 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC6721 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224174 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC6721 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224173 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC6721 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224172 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224171 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224170 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC662F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224169 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC662F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224168 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224167 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Special Logon OpCode=Info RecordNumber=224166 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC62B7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224165 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC62B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DDIKSBP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logon OpCode=Info RecordNumber=224164 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DDIKSBP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x55c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Credential Validation OpCode=Info RecordNumber=224163 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DDIKSBP Error Code: 0x0 10/09/2020 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Logoff OpCode=Info RecordNumber=224162 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DDIKSBP Logon ID: 0xC61F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:29:48 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-DDIKSBP TaskCategory=Service shutdown OpCode=Info RecordNumber=224197 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 10:30:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224199 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=224198 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224206 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x308 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224205 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224204 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c8 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x278 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224203 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224202 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x278 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224201 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x278 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224200 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224231 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224230 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Other System Events OpCode=Info RecordNumber=224229 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224228 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224227 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224226 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224225 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224224 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224223 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224222 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224221 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224220 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA486 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224219 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA457 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224218 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA486 Linked Logon ID: 0xA457 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224217 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA457 Linked Logon ID: 0xA486 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224216 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224215 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224214 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224213 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224212 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224211 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5526 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224210 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Security State Change OpCode=Info RecordNumber=224209 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224208 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Process Creation OpCode=Info RecordNumber=224207 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x350 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=System Integrity OpCode=Info RecordNumber=224245 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Other System Events OpCode=Info RecordNumber=224244 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=System Integrity OpCode=Info RecordNumber=224243 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Other System Events OpCode=Info RecordNumber=224242 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Other System Events OpCode=Info RecordNumber=224241 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Security Group Management OpCode=Info RecordNumber=224240 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Security Group Management OpCode=Info RecordNumber=224239 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224238 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x14046 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Security Group Management OpCode=Info RecordNumber=224237 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Security Group Management OpCode=Info RecordNumber=224236 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224235 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224234 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224233 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224232 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224260 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2952E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224259 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2952E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224258 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224257 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224256 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x294B8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224255 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x294B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224254 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224253 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Security Group Management OpCode=Info RecordNumber=224252 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224251 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x28D80 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224250 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x28D80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224249 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224248 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=System Integrity OpCode=Info RecordNumber=224247 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-bf7f9859-d327-44f3-b3c2-e2bab47e3ca1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 10:30:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Other System Events OpCode=Info RecordNumber=224246 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 19f9ca6fa563fb0e87d5779c3e139544_733ee690-b6b1-4555-8fb2-4f93dcfad825 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\19f9ca6fa563fb0e87d5779c3e139544_733ee690-b6b1-4555-8fb2-4f93dcfad825 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224278 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2AAB4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224277 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2AAB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224276 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224275 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224274 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2AA1D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224273 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2AA1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224272 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224271 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224270 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2A7BF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224269 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2A7BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224268 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224267 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logoff OpCode=Info RecordNumber=224266 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2A77C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224265 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2A77C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224264 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2A77C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224263 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224262 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logoff OpCode=Info RecordNumber=224261 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2952E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logoff OpCode=Info RecordNumber=224291 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2A7BF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logoff OpCode=Info RecordNumber=224290 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B665 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logoff OpCode=Info RecordNumber=224289 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2AA1D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224288 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B665 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224287 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B665 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224286 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224285 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logoff OpCode=Info RecordNumber=224284 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B634 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224283 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B634 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224282 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B634 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224281 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224280 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logoff OpCode=Info RecordNumber=224279 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2AAB4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224307 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2CD99 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224306 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2CD99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224305 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224304 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224303 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B9AD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224302 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B9AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224301 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224300 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224299 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B90D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224298 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B90D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224297 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224296 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224295 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B6AF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224294 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2B6AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224293 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224292 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Special Logon OpCode=Info RecordNumber=224311 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2D17C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 10:30:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224310 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-7216619 Logon ID: 0x2D17C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-7216619 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 10:30:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Logon OpCode=Info RecordNumber=224309 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-7216619 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 10:30:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Credential Validation OpCode=Info RecordNumber=224308 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-7216619 Error Code: 0x0 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224471 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneUnsign_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224470 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransferPolicy_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224469 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransfer_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224468 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneSign_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224467 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneScope_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224466 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneKeyMasterRole_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224465 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneDelegation_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224464 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneAging_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224463 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZone_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224462 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerVirtualizationInstance_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224461 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustPoint_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224460 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustAnchor_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224459 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStubZone_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224458 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStatistics_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224457 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKeyRollover_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224456 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKey_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224455 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSetting_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224454 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSecondaryZone_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224453 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerScavenging_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224452 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRootHint_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224451 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimitingExceptionlist_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224450 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimiting_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224449 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordPTR_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224448 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordMX_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224447 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDS_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224446 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDnsKey_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224445 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordCNAME_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224444 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAging_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224443 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAAAA_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224442 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordA_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224441 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecord_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224440 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursionScope_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224439 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursion_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224438 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerQueryResolutionPolicy_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224437 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPrimaryZone_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224436 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPolicy_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224435 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerKeyStorageProvider_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224434 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalQueryBlockList_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224433 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalNameZone_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224432 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerForwarder_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224431 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerEdns_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224430 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDsSetting_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224429 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecZoneSetting_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224428 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecPublicKey_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224427 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDirectoryPartition_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224426 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDiagnostics_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224425 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerConditionalForwarder_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224424 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerClientSubnet_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224423 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerCache_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224422 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServer_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224421 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Types.ps1xml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224420 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Format.ps1xml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224419 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServer.psd1 Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224418 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dnsperf.dll Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224417 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneUnsign_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224416 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransferPolicy_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224415 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransfer_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224414 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneSign_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224413 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneScope_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224412 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneKeyMasterRole_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224411 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneDelegation_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224410 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneAging_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224409 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZone_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224408 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerVirtualizationInstance_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224407 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustPoint_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224406 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustAnchor_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224405 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStubZone_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224404 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStatistics_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224403 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKeyRollover_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224402 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKey_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224401 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSetting_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224400 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSecondaryZone_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224399 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerScavenging_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224398 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRootHint_v1.0.0.cdxml Handle ID: 0x314 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224397 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimitingExceptionlist_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224396 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimiting_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224395 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordPTR_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224394 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordMX_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224393 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDS_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224392 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDnsKey_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224391 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordCNAME_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224390 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAging_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224389 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAAAA_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224388 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordA_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224387 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecord_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224386 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursionScope_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224385 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursion_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224384 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerQueryResolutionPolicy_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224383 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPrimaryZone_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224382 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPolicy_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224381 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerKeyStorageProvider_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224380 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalQueryBlockList_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224379 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalNameZone_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224378 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerForwarder_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224377 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerEdns_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224376 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDsSetting_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224375 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecZoneSetting_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224374 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecPublicKey_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224373 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDirectoryPartition_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224372 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDiagnostics_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224371 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerConditionalForwarder_v1.0.0.cdxml Handle ID: 0x4fc Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224370 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerClientSubnet_v1.0.0.cdxml Handle ID: 0x4ac Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224369 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerCache_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xf9c Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 10:30:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-7216619 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224368 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-7216619$ Account Domain: WORKGROUP