04/27/2022 11:22:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106679803 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: REED_SCHMIDT Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\REED_SCHMIDT Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 59633 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 10:33:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106676187 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: PC-DEMO$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\PC-DEMO$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 59022 Additional Information: Ticket Options: 0x40800010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 10:31:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4741 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=2106676096 Keywords=Audit Success Message=A computer account was created. Subject: Security ID: ATTACKRANGE\REED_SCHMIDT Account Name: REED_SCHMIDT Account Domain: ATTACKRANGE Logon ID: 0x2B0BB384 New Computer Account: Security ID: ATTACKRANGE\PC-DEMO$ Account Name: PC-DEMO$ Account Domain: ATTACKRANGE Attributes: SAM Account Name: PC-DEMO$ Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 4/27/2022 10:31:58 PM Account Expires: Primary Group ID: 515 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x80 User Account Control: 'Workstation Trust Account' - Enabled User Parameters: - SID History: - Logon Hours: DNS Host Name: PC-DEMO.attackrange.local Service Principal Names: HOST/PC-DEMO.attackrange.local RestrictedKrbHost/PC-DEMO.attackrange.local HOST/PC-DEMO RestrictedKrbHost/PC-DEMO Additional Information: Privileges SeMachineAccountPrivilege 04/27/2022 10:31:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106676092 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: REED_SCHMIDT Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\REED_SCHMIDT Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 58990 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 10:27:52 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106675793 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: REED_SCHMIDT Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\REED_SCHMIDT Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 58928 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 09:45:15 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106672862 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: REED_SCHMIDT Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\REED_SCHMIDT Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 58393 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 04:31:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106650090 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-987$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-987$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 54471 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 04:19:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106649265 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-128$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-128$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 04:19:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106649253 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-128$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-128$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 08:31:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106615412 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-987$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-987$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 64830 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 08:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106614575 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-128$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-128$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 08:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106614563 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-128$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-128$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 12:31:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106580685 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-987$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-987$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 58811 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 12:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106579860 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-128$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-128$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 12:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106579848 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-128$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-128$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 04/27/2022 10:33:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=6660976 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x22E0D72B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {173EE619-4496-46E0-ED14-311C1839618D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 127.0.0.1 Source Port: 59026 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.