| Message | Id | Version | Qualifiers | Level | Task | Opcode | Keywords | RecordId | ProviderName | ProviderId | LogName | ProcessId | ThreadId | MachineName | UserId | TimeCreated | ActivityId | RelatedActivityId | ContainerLog | MatchedQueryIds | Bookmark | LevelDisplayName | OpcodeDisplayName | TaskDisplayName | KeywordsDisplayNames | Properties |
|---|
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x10584B
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x12e4
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:29:09 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA99205 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:28:45 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA99205 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:28:45 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA97696 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:28:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA97696 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:28:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8559F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:28:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA8FB72 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA8FB72 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA8F360 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA8F360 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8DCBE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8DCBE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8DCBE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89579
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89579
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA89579
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:28:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA85F64
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA85F64
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA85F64
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA85463
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8559F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8559F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8554A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8554A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA8554A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14967 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA85505
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA85505
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA85505
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA85463
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3978822120-1120222721-3383101340-6747582
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA85463
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ED2801E8-3E01-42C5-9C07-A6C9BEF56600
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA83E9B | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA83E9B | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA8240B | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:43 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA8240B | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:43 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6CA34
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA7A77B | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:28 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA7A77B | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:28 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA79F39 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:23 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA79F39 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:23 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA7957C | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:18 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA7957C | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:18 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA77E41
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA77E41
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA77E41
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:27:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA719AC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA719AC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA719AC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6D3FB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:43 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6D3FB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:43 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6D3FB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:43 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:43 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6C8F8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6CA34
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6CA34
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6C9DF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6C9DF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6C9DF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6C99A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6C99A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6C99A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6C8F8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3309317821-1179508805-937252262-3185446361
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA6C8F8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C5402EBD-E045-464D-A655-DD37D90DDEBD
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C8C5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F816F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:26:18 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA5654A | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA5654A | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:26:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D9208
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:25:39 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EE089
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:25:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18AE7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:25:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28E85
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:25:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA37589 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:25:17 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0xA37589 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:25:17 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA34184
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:25:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA34184
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:25:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA34184
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:25:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:25:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2E206
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2E206
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2E206
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2997C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2997C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2997C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14901 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28D49
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28E85
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28E85
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28E30
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28E30
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28E30
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28DEB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28DEB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28DEB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28D49
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14887 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3017905129-1256573862-1142187158-1826678304
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA28D49
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14886 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B3E193E9-CBA6-4AE5-9664-144420E6E06C
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14885 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2429E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14884 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2429E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14883 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:44 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA2429E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14882 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:44 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14881 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:44 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA1DE36
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14880 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA1DE36
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14879 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA1DE36
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14878 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14877 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA197D4
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14876 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA197D4
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14875 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:27 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA197D4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14874 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:27 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14873 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:27 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA189AC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14872 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18AE7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14871 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18AE7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14870 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14869 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18A92
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14868 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18A92
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14867 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18A92
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14866 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14865 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18A4D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14864 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18A4D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14863 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA18A4D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14862 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14861 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA189AC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14860 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3055920031-1084263020-466620058-3987381897
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA189AC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14859 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B625A39F-8A6C-40A0-9A0E-D01B899EAAED
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14858 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA12721
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14857 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA12721
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14856 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:21 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA12721
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14855 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:21 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14854 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:21 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA009A8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14853 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA009A8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14852 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA009A8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14851 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14850 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA00421
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14849 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA00421
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14848 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0xA00421
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14847 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14846 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9FFAC6 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14845 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9FFAC6 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14844 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14843 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14842 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F75CC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14841 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F816F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14840 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F816F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14839 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14838 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F7F1E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14837 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F7F1E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14836 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F7F1E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14835 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14834 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F7DCC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14833 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F7DCC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14832 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F7DCC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14831 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14830 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F75CC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14829 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2769826829-1126700814-604830345-1272575161
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9F75CC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14828 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: A518340D-170E-4328-89FA-0C24B9F4D94B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14827 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9F63FC | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14826 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9F63FC | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14825 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:24:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EF019
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14824 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EF019
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14823 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EF019
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14822 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14821 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9EE9CB | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14820 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9EE9CB | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14819 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDEF5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14818 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:24:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EE089
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14817 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EE089
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14816 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14815 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EE01D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14814 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EE01D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14813 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EE01D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14812 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14811 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDF96
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14810 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDF96
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14809 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDF96
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14808 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14807 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDEF5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14806 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1859827266-1302731242-1489313425-679816676
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9EDEF5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14805 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 6EDAB642-19EA-4DA6-911E-C558E42D8528
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14804 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9EBAB1 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14803 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9EBAB1 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14802 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9EB1EB | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14801 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9EB1EB | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14800 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9B7E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14799 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9B7E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14798 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9E9B7E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14797 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14796 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9E916C | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14795 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x9E916C | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14794 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99EA76
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14793 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9DD686
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14792 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9DD686
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14791 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:38 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9DD686
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14790 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:38 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14789 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:38 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D9C7D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14788 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D9C7D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14787 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D9C7D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14786 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14785 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D90B2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14784 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D9208
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14783 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D9208
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14782 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14781 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D91B3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14780 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D91B3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14779 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D91B3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14778 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14777 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D916E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14776 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D916E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14775 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D916E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14774 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14773 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D90B2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14772 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3749555174-1093282496-531286668-3967011949
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9D90B2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14771 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DF7DABE6-2AC0-412A-8CCA-AA1F6DCC73EC
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14770 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF23C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14769 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x984947
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14768 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:23:10 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C5A99
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14767 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:23:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C5A99
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14766 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:23:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C5A99
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14765 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:23:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14764 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:23:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C1655
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14763 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C1655
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14762 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9C1655
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14761 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14760 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93A0FE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14759 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:39 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B8852
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14758 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:38 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B8852
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14757 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:38 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B8852
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14756 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:38 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14755 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:38 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B0D65
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14754 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B0D65
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14753 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9B0D65
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14752 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14751 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF0F8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14750 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF23C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14749 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF23C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14748 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14747 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF1E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14746 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF1E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14745 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF1E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14744 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14743 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF1A2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14742 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF1A2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14741 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF1A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14740 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14739 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF0F8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14738 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4039590882-1207118443-861479299-2555743740
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9AF0F8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14737 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: F0C743E2-2A6B-47F3-8321-5933FC8D5598
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14736 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9FFC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14735 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9FFC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14734 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A9FFC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14733 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14732 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A56E2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14731 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A56E2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14730 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:11 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A56E2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14729 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:11 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14728 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:11 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E979
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14727 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A051A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14726 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A051A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14725 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9A051A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14724 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14723 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99E884
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14722 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99EA76
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14721 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99EA76
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14720 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14719 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99EA1B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14718 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99EA1B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14717 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99EA1B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14716 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14715 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99E9D0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14714 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99E9D0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14713 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99E9D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14712 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14711 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99E884
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14710 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3834945667-1210265621-3660353711-612393972
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99E884
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14709 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E494A083-3015-4823-AF90-2CDAF4638024
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14708 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:05 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99C01F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14707 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99C01F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14706 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x99C01F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14705 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14704 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:22:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C6B3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14703 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:57 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x990DB6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14702 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:54 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x990DB6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14701 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x990DB6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14700 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14699 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C2C8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14698 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C8C5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14697 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C8C5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14696 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14695 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C7B3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14694 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C7B3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14693 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C7B3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14692 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14691 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C72E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14690 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C72E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14689 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C72E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14688 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14687 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C2C8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14686 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3907082497-1132475471-86930602-815174297
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98C2C8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14685 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E8E15901-344F-4380-AA74-2E0599929630
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14684 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98ABAA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14683 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98ABAA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14682 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x98ABAA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14681 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14680 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9854FF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14679 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9854FF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14678 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9854FF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14677 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14676 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x984804
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14675 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x984947
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14674 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x984947
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14673 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14672 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9848F2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14671 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9848F2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14670 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9848F2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14669 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14668 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9848AD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14667 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9848AD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14666 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9848AD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14665 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14664 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x984804
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14663 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2580900548-1307812964-1278290602-987759867
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x984804
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14662 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 99D56AC4-A464-4DF3-AA2A-314CFB04E03A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14661 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E8A54
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14660 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C87A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14659 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:21:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96875B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14658 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:20:45 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96875B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14657 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:20:45 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x96875B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14656 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:20:45 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14655 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:20:45 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x962578 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14654 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:20:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x962578 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14653 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:20:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95F56D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14652 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95F56D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14651 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95F56D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14650 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14649 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E82D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14648 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E979
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14647 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E979
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14646 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14645 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E91C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14644 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E91C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14643 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E91C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14642 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14641 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E8D2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14640 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E8D2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14639 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E8D2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14638 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14637 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E82D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14636 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-967545419-1269931880-1837573511-1002750453
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x95E82D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14635 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 39AB924B-9F68-4BB1-8725-876DF5C1C43B
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14634 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x95C54B | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14633 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x95C54B | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14632 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E07E5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14631 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x94D051
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14630 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:12 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x94D051
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14629 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:12 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x94D051
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14628 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:12 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14627 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:12 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93E9D5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14626 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93E9D5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14625 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93E9D5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14624 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14623 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:20:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93AC38
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14622 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93AC38
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14621 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93AC38
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14620 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14619 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x939FC2
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14618 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93A0FE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14617 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93A0FE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14616 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14615 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93A0A9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14614 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93A0A9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14613 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93A0A9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14612 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14611 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93A064
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14610 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93A064
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14609 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x93A064
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14608 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14607 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x939FC2
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14606 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2197418220-1305399942-817563297-3106397382
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x939FC2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14605 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 82F9F0EC-D286-4DCE-A106-BB30C6DC27B9
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14604 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9327B1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14603 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9327B1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14602 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9327B1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14601 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14600 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAFAB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14599 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:21 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x926891
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14598 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:20 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x926891
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14597 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:20 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x926891
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14596 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:20 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14595 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:20 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91C5B5
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14594 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91C5B5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14593 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x91C5B5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14592 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14591 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:19:16 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C42A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14590 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C6B3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14589 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C6B3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14588 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14587 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C614
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14586 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C614
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14585 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C614
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14584 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14583 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C5AF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14582 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C5AF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14581 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C5AF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14580 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14579 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C42A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14578 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3961085999-1235959904-154779035-2007037066
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90C42A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14577 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: EC19602F-4060-49AB-9BBD-39098AF4A077
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14576 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90AE0E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14575 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:13 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90AE0E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14574 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:13 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x90AE0E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14573 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:13 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14572 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:13 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9003B3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14571 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9003B3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14570 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x9003B3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14569 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14568 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EDA11
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14567 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F95FD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14566 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:06 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F95FD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14565 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:06 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8F95FD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14564 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:06 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14563 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:06 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8ED0
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14562 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:05 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E8906
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14561 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E8A54
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14560 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E8A54
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14559 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14558 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E89FF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14557 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E89FF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14556 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E89FF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14555 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14554 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E89B9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14553 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E89B9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14552 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E89B9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14551 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14550 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E8906
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14549 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2143487993-1202338400-2338885295-831622935
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E8906
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14548 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 7FC307F9-3A60-47AA-AF8E-688B178F9131
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14547 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5363
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14546 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5363
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14545 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E5363
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14544 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14543 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E2F83
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14542 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E2F83
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14541 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E2F83
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14540 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14539 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:19:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E0589
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14538 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E07E5
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14537 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E07E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14536 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14535 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E0786
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14534 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E0786
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14533 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E0786
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14532 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14531 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E0740
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14530 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E0740
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14529 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E0740
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14528 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14527 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E0589
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14526 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-4228934422-1136861567-2990354099-3596298163
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8E0589
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14525 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: FC106B16-217F-43C3-B32E-3DB2B3275BD6
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14524 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8DA840
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14523 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8DA840
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14522 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8DA840
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14521 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14520 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8C47
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14519 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8ED0
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14518 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8ED0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14517 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14516 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8E2E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14515 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8E2E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14514 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8E2E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14513 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14512 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8DA6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14511 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8DA6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14510 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8DA6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14509 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14508 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8C47
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14507 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3789497653-1201550643-3972708999-2257065913
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D8C47
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14506 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: E1DF2535-3533-479E-87BA-CAECB9178886
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14505 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D7DAA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14504 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D7DAA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14503 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8D7DAA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14502 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14501 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:18:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CAC1A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14500 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:18:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CAC1A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14499 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:18:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8CAC1A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14498 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:18:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14497 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:18:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C987C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14496 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:18:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C987C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14495 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:18:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C987C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14494 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:18:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14493 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:18:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C27ED
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14492 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C27ED
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14491 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C27ED
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14490 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14489 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C0FC6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14488 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C0FC6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14487 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8C0FC6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14486 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14485 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BFD84
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14484 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BFD84
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14483 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8BFD84
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14482 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14481 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F19D8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14480 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:18 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B3B1E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14479 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B3B1E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14478 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8B3B1E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14477 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14476 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8B2530 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14475 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8B2530 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14474 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:18:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8ADA4D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14473 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8ADA4D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14472 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8ADA4D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14471 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14470 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886BF9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14469 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:54 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A0325
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14468 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A0325
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14467 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8A0325
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14466 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14465 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x89DE45 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14464 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x89DE45 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14463 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89A344
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14462 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89A344
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14461 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x89A344
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14460 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14459 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x898E23
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14458 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:40 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x898E23
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14457 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:40 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x898E23
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14456 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:40 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14455 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:40 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x891205
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14454 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:17:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x891205
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14453 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:17:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x891205
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14452 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:17:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14451 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 4460 | hv-cinder-80674 | | 8/31/2021 2:17:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x890747
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14450 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:37 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x890747
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14449 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x890747
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14448 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14447 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:37 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886876
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14446 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886BF9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14445 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886BF9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14444 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14443 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886B07
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14442 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886B07
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14441 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886B07
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14440 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14439 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886A11
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14438 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886A11
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14437 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886A11
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14436 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14435 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886876
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14434 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2964550783-1249193732-1917078920-3230006859
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x886876
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14433 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: B0B3747F-2F04-4A75-884D-44724BFE85C0
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14432 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x885D8C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14431 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x885D8C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14430 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x885D8C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14429 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14428 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:36 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88454E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14427 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88454E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14426 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x88454E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14425 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14424 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:35 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x881C5A | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14423 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:34 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x881C5A | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14422 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:34 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87986E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14421 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:28 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87986E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14420 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:28 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x87986E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14419 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:28 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14418 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:28 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841EA3
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14417 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:24 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8653E2 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14416 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8653E2 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14415 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x864D41
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14414 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:19 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x864D41
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14413 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x864D41
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14412 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14411 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C3E7
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14410 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x85CCAA | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14409 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x85CCAA | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14408 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C87A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14407 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C87A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14406 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14405 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C7BE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14404 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C7BE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14403 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C7BE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14402 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14401 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C74E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14400 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C74E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14399 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C74E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14398 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14397 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C3E7
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14396 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3248769465-1303898713-862947726-1511791359
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85C3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14395 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: C1A449B9-EA59-4DB7-8E89-6F33FF1A1C5A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14394 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:15 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8576C1
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14393 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8576C1
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14392 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:11 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x8576C1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14391 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:11 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14390 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:11 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x855BDF | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14389 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x855BDF | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14388 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85001F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14387 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:04 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85001F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14386 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x85001F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14385 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14384 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:17:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8484FD | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14383 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8484FD | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14382 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x84533A | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14381 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x84533A | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14380 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x844F83
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14379 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x844F83
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14378 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x844F83
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14377 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14376 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:17:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x843B0F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14375 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:57 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x843B0F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14374 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x843B0F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14373 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14372 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x84331B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14371 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:57 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x84331B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14370 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x84331B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14369 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14368 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841D53
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14367 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841EA3
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14366 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841EA3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14365 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14364 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841E4A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14363 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841E4A
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14362 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841E4A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14361 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14360 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841E05
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14359 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841E05
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14358 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841E05
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14357 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14356 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841D53
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14355 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2038225868-1272615789-435849348-3612283107
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x841D53
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14354 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 797CDBCC-936D-4BDA-8488-FA19E3104FD7
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14353 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x840D1A | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14352 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x840D1A | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14351 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x83D962 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14350 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x83D962 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14349 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E796C
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14348 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:35 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82CD44
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14347 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:30 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82CD44
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14346 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:30 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x82CD44
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14345 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:30 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14344 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:30 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8258D7 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14343 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:30 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x8258D7 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14342 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:16:30 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x820AA7 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14341 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x820AA7 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14340 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:26 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80F5DB
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14339 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80F5DB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14338 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80F5DB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14337 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14336 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80B241
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14335 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:11 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80B241
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14334 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:11 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80B241
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14333 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:11 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14332 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:11 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80662B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14331 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:09 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80662B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14330 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:09 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x80662B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14329 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:09 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14328 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:09 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F9E8E
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14327 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:08 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F9E8E
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14326 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F9E8E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14325 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14324 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7F7ED2 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14323 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7F7ED2 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14322 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:08 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F27C9
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14321 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F27C9
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14320 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F27C9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14319 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14318 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F17E8
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14317 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F19D8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14316 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F19D8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14315 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14314 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F190D
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14313 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F190D
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14312 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F190D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14311 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14310 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F18B6
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14309 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F18B6
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14308 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F18B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14307 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14306 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F17E8
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14305 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3526212788-1218597432-2373793420-2476035498
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7F17E8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14304 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D22DBCB4-5238-48A2-8C36-7D8DAA4D9593
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14303 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:03 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EEDDC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14302 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EEDDC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14301 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EEDDC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14300 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14299 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7ED8CE
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14298 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EDA11
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14297 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EDA11
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14296 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14295 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7ED9BC
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14294 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7ED9BC
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14293 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7ED9BC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14292 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14291 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7ED977
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14290 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7ED977
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14289 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7ED977
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14288 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14287 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7ED8CE
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14286 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-3513039570-1231459962-2007438006-2318624304
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7ED8CE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14285 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: D164BAD2-967A-4966-B612-A7773066338A
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14284 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EBECA
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14283 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EBECA
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14282 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EBECA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14281 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14280 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:16:00 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAE66
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14279 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAFAB
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14278 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAFAB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14277 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14276 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAF56
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14275 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAF56
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14274 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAF56
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14273 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14272 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAF0F
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14271 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAF0F
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14270 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAF0F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14269 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14268 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAE66
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14267 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-2641432884-1179403359-2678644401-72429902
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7EAE66
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14266 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 9D711134-445F-464C-B1DE-A89F4E315104
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14265 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E90DF
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14264 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E90DF
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14263 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E90DF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14262 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14261 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E6C4B
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14260 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E796C
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14259 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E796C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14258 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14257 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E77DD
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14256 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E77DD
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14255 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E77DD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14254 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14253 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E7768
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14252 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E7768
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14251 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E7768
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14250 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14249 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:58 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E6C4B
Privileges: SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14248 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-83-1-1950048534-1090019323-1412430773-3538388757
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon ID: 0x7E6C4B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14247 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: 743B6116-5FFB-40F8-B5FB-2F541587E7D2
Account Domain: NT VIRTUAL MACHINE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14246 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7E1E15 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14245 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7E1E15 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14244 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7DCE2C | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14243 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7DCE2C | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14242 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to unregister a security event source.
Subject
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7D6861 | 4905 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14241 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:34 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to register a security event source.
Subject :
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe
Event Source:
Source Name: VSSAudit
Event Source ID: 0x7D6861 | 4904 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14240 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 2:15:34 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14239 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:30 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14238 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:15:30 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x10584B
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x1114
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14237 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 1852 | hv-cinder-80674 | | 8/31/2021 2:13:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x10584B
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x12a0
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14236 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2920 | hv-cinder-80674 | | 8/31/2021 2:13:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14235 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:50:40 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14234 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:50:40 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14233 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:28:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14232 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:28:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x10584B
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0x9f8
Process Name: C:\Program Files\Git\usr\bin\bash.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14231 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:28:40 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x10584B
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0x1398
Process Name: C:\Program Files\Git\usr\bin\bash.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14230 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:28:39 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x10584B
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0x13a4
Process Name: C:\Program Files\Git\usr\bin\bash.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14229 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:28:39 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14228 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:26:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14227 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:26:10 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x10584B
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14226 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:25:20 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x10584B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14225 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:25:20 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14224 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:25:20 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14223 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:25:20 PM | 3ca09571-9e6b-0001-5b98-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x1028F2
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14222 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:25:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x1028F2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14221 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:25:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14220 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:25:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14219 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:25:19 PM | 3ca09571-9e6b-0003-0b98-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0xFBA34
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14218 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:25:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0xFBA34
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14217 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:25:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14216 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:25:14 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14215 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:25:14 PM | 3ca09571-9e6b-0001-4c98-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0xF8E53
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14214 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:25:13 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0xF8E53
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14213 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:25:13 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14212 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:25:13 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14211 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:25:13 PM | 3ca09571-9e6b-0000-5698-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0xF5909
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14210 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:25:12 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0xF5909
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14209 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:25:12 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14208 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:25:12 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14207 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:25:12 PM | 3ca09571-9e6b-0004-2898-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14206 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14205 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14204 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14203 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_92ae15e1-cdd1-4a31-b9aa-7cc044b777cf
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14202 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Create Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14201 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_92ae15e1-cdd1-4a31-b9aa-7cc044b777cf
Operation: Write persisted key to file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14200 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090016 | 5061 | 0 | | 0 | 12290 | 0 | -9218868437227405312 | 14199 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Delete key file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14198 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14197 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14196 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14195 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14194 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Microsoft Connected Devices Platform device certificate
Key Type: User key.
Key File Operation Information:
File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14193 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:24:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x8AE58
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-500
Account Name: Administrator
Account Domain: HV-CINDER-80674 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14192 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:24:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x8AE58
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-500
Account Name: Administrator
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/31/2021 1:24:32 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14191 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:24:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x8AE58
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-500
Account Name: Administrator
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0x930
Process Name: C:\Windows\System32\net1.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14190 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:24:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x8AE58
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0xb4c
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14189 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:24:19 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x8AE58
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14188 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x8AE58
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14187 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14186 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14185 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:55 PM | 3ca09571-9e6b-0002-3796-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x2B71A
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14184 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:55 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x8913E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14183 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:52 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x8913E
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14182 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x8913E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14181 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14180 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14179 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:52 PM | 3ca09571-9e6b-0003-3496-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 527a2280-c654-4439-81fb-2ffb777ff10f
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14178 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:23:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: 527a2280-c654-4439-81fb-2ffb777ff10f
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9711a32f8e233892070e533dc9a38661_92ae15e1-cdd1-4a31-b9aa-7cc044b777cf
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14177 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:23:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x57c
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?08?-?31T13:23:50.325913300Z
New Time: ?2021?-?08?-?31T13:23:50.307000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14176 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 3612 | hv-cinder-80674 | | 8/31/2021 1:23:50 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14175 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/31/2021 1:23:48 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14174 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0xa8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14173 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0xa8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14172 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0xa8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14171 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:23:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14170 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:43 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14169 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:43 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0xa8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14168 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:42 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Member:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: -
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: - | 4732 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14167 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was logged off.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x7217A
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. | 4634 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 14166 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x22c
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14165 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:41 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon ID: 0x7217A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xa8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14164 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:39 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Admin
Account Domain: HV-CINDER-80674
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xa8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14163 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:39 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Admin
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14162 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:39 PM | 3ca09571-9e6b-0000-dc95-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14161 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:31 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: Admin
Display Name: Admin
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/31/2021 1:23:31 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x15
New UAC Value: 0x210
User Account Control:
Account Enabled
'Password Not Required' - Disabled
'Don't Expire Password' - Enabled
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14160 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:31 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was enabled.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674 | 4722 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14159 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:31 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was created.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
New Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: Admin
Account Domain: HV-CINDER-80674
Attributes:
SAM Account Name: Admin
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges - | 4720 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14158 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:31 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A member was added to a security-enabled global group.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Member:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1001
Account Name: -
Group:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-513
Group Name: None
Group Domain: HV-CINDER-80674
Additional Information:
Privileges: - | 4728 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14157 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:31 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14156 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x2B71A
Logon Information:
Logon Type: 4
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x54626
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xea8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14155 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14154 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:04 PM | 3ca09571-9e6b-0002-dc95-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x2B71A
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674 | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14153 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x2B71A
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/31/2021 1:23:04 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14152 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x2B71A
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0xea8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14151 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x2B71A
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0xea8
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14150 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:04 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Administrator
Account Domain: HV-CINDER-80674
Failure Information:
Failure Reason: The specified account's password has expired.
Status: 0xC0000224
Sub Status: 0x0
Process Information:
Caller Process ID: 0x22c
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4625 | 0 | | 0 | 12544 | 0 | -9218868437227405312 | 14149 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:02 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-500
Account Name: Administrator
Account Domain: HV-CINDER-80674
Process Information:
Process ID: 0xf40
Process Name: C:\Windows\System32\LogonUI.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14148 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:23:01 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14147 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14146 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:59 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14145 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x9b8
Process Name: C:\Windows\System32\vmms.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14144 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:57 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x22c
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14143 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:56 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14142 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14141 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14140 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14139 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:55 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14138 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_92ae15e1-cdd1-4a31-b9aa-7cc044b777cf
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14137 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: TSSecKeySet1
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14136 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TSSecKeySet1
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_92ae15e1-cdd1-4a31-b9aa-7cc044b777cf
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14135 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14134 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14133 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x2B71A
Privileges: SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14132 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon ID: 0x2B71A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: HV-CINDER-80674
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14131 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: cloudbase-init
Account Domain: HV-CINDER-80674
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 14130 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: cloudbase-init
Source Workstation: HV-CINDER-80674
Error Code: 0x0 | 4776 | 0 | | 0 | 14336 | 0 | -9214364837600034816 | 14129 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:54 PM | 3ca09571-9e6b-0005-be95-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Credential Validation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key migration operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0 | 5059 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14128 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:22:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14127 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:22:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14126 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:22:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Cryptographic operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0 | 5061 | 0 | | 0 | 12290 | 0 | -9214364837600034816 | 14125 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:22:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | System Integrity | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11
Key Type: User key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc
Operation: Read persisted key from file.
Return Code: 0x0 | 5058 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14124 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:22:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14123 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14122 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 2484 | hv-cinder-80674 | | 8/31/2021 1:22:52 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14121 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:22:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14120 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:22:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14119 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:51 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x20EB0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14118 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14117 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14116 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14115 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14114 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14113 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14112 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14111 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14110 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14109 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14108 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x22c
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14107 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:50 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 14106 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x22c
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14105 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14104 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x22c
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14103 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-20
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E4
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x520
Process Name: C:\Windows\System32\svchost.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14102 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14101 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14100 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14099 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14098 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14097 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14096 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14095 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14094 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Process Information:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14093 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Process Information:
Process ID: 0x7bc
Process Name: C:\Windows\System32\VSSVC.exe | 4799 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14092 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14091 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14090 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:49 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x584
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?08?-?31T13:22:48.126355100Z
New Time: ?2021?-?08?-?31T13:22:48.854000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 14089 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | hv-cinder-80674 | | 8/31/2021 1:22:48 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14088 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14087 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:48 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14086 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14085 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14084 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:22:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 14083 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 852 | hv-cinder-80674 | | 8/31/2021 1:22:47 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x4fc
Process Information:
Process ID: 0x4f8
Process Name: C:\Windows\System32\oobe\msoobe.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 14082 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | hv-cinder-80674 | | 8/31/2021 1:22:47 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-513
Group Name: None
Group Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: None
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14081 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-513
Account Domain: HV-CINDER-80674
Old Account Name: None
New Account Name: None
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14080 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled global group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-513
Group Name: None
Group Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4737 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14079 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-503
Account Name: DefaultAccount
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14078 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-503
Account Name: DefaultAccount
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: DefaultAccount
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14077 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-501
Account Name: Guest
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14076 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-501
Account Name: Guest
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: Guest
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x215
New UAC Value: 0x215
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14075 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-500
Account Name: Administrator
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14074 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-500
Account Name: Administrator
Account Domain: HV-CINDER-80674
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x10
User Account Control: -
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14073 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: System Managed Accounts Group
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14072 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-581
Account Domain: Builtin
Old Account Name: System Managed Accounts Group
New Account Name: System Managed Accounts Group
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14071 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-581
Group Name: System Managed Accounts Group
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14070 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Storage Replica Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14069 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-582
Account Domain: Builtin
Old Account Name: Storage Replica Administrators
New Account Name: Storage Replica Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14068 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-582
Group Name: Storage Replica Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14067 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Management Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14066 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-580
Account Domain: Builtin
Old Account Name: Remote Management Users
New Account Name: Remote Management Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14065 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-580
Group Name: Remote Management Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14064 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Access Control Assistance Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14063 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-579
Account Domain: Builtin
Old Account Name: Access Control Assistance Operators
New Account Name: Access Control Assistance Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14062 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-579
Group Name: Access Control Assistance Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14061 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Hyper-V Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14060 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-578
Account Domain: Builtin
Old Account Name: Hyper-V Administrators
New Account Name: Hyper-V Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14059 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-578
Group Name: Hyper-V Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14058 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Management Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14057 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-577
Account Domain: Builtin
Old Account Name: RDS Management Servers
New Account Name: RDS Management Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14056 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-577
Group Name: RDS Management Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14055 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Endpoint Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14054 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-576
Account Domain: Builtin
Old Account Name: RDS Endpoint Servers
New Account Name: RDS Endpoint Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14053 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-576
Group Name: RDS Endpoint Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14052 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: RDS Remote Access Servers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14051 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-575
Account Domain: Builtin
Old Account Name: RDS Remote Access Servers
New Account Name: RDS Remote Access Servers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14050 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-575
Group Name: RDS Remote Access Servers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14049 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Certificate Service DCOM Access
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14048 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-574
Account Domain: Builtin
Old Account Name: Certificate Service DCOM Access
New Account Name: Certificate Service DCOM Access
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14047 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-574
Group Name: Certificate Service DCOM Access
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14046 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Event Log Readers
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14045 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-573
Account Domain: Builtin
Old Account Name: Event Log Readers
New Account Name: Event Log Readers
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14044 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-573
Group Name: Event Log Readers
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14043 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Cryptographic Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14042 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-569
Account Domain: Builtin
Old Account Name: Cryptographic Operators
New Account Name: Cryptographic Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14041 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-569
Group Name: Cryptographic Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14040 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: IIS_IUSRS
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14039 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-568
Account Domain: Builtin
Old Account Name: IIS_IUSRS
New Account Name: IIS_IUSRS
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14038 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14037 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Distributed COM Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14036 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-562
Account Domain: Builtin
Old Account Name: Distributed COM Users
New Account Name: Distributed COM Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14035 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-562
Group Name: Distributed COM Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14034 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Log Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14033 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-559
Account Domain: Builtin
Old Account Name: Performance Log Users
New Account Name: Performance Log Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14032 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-559
Group Name: Performance Log Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14031 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Performance Monitor Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14030 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-558
Account Domain: Builtin
Old Account Name: Performance Monitor Users
New Account Name: Performance Monitor Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14029 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-558
Group Name: Performance Monitor Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14028 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Power Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14027 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-547
Account Domain: Builtin
Old Account Name: Power Users
New Account Name: Power Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14026 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-547
Group Name: Power Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14025 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Network Configuration Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14024 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-556
Account Domain: Builtin
Old Account Name: Network Configuration Operators
New Account Name: Network Configuration Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14023 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-556
Group Name: Network Configuration Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14022 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Remote Desktop Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14021 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-555
Account Domain: Builtin
Old Account Name: Remote Desktop Users
New Account Name: Remote Desktop Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14020 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-555
Group Name: Remote Desktop Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14019 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Replicator
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14018 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-552
Account Domain: Builtin
Old Account Name: Replicator
New Account Name: Replicator
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14017 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-552
Group Name: Replicator
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14016 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Backup Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14015 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-551
Account Domain: Builtin
Old Account Name: Backup Operators
New Account Name: Backup Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14014 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-551
Group Name: Backup Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14013 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Guests
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14012 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-546
Account Domain: Builtin
Old Account Name: Guests
New Account Name: Guests
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14011 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-546
Group Name: Guests
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14010 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Users
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14009 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-545
Account Domain: Builtin
Old Account Name: Users
New Account Name: Users
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14008 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-545
Group Name: Users
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14007 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Administrators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14006 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-544
Account Domain: Builtin
Old Account Name: Administrators
New Account Name: Administrators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14005 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14004 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: Print Operators
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14003 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The name of an account was changed:
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-32-550
Account Domain: Builtin
Old Account Name: Print Operators
New Account Name: Print Operators
Additional Information:
Privileges: - | 4781 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 14002 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A security-enabled local group was changed.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Group:
Security ID: S-1-5-32-550
Group Name: Print Operators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: - | 4735 | 0 | | 0 | 13826 | 0 | -9214364837600034816 | 14001 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 896 | hv-cinder-80674 | | 8/31/2021 1:22:46 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security Group Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 14000 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:34 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13999 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:34 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13998 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:34 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13997 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:34 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13996 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13995 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13994 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13993 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB55E
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13992 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB54C
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13991 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB55E
Linked Logon ID: 0xB54C
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d8
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13990 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0xB54C
Linked Logon ID: 0xB55E
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2d8
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13989 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2d8
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13988 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13987 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13986 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:33 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13985 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: HV-CINDER-80674$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x324
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13984 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 860 | hv-cinder-80674 | | 8/31/2021 1:22:32 PM | 3ca09571-9e6b-0005-7795-a03c6b9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x617E | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13983 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 864 | hv-cinder-80674 | | 8/31/2021 1:22:32 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13982 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 824 | hv-cinder-80674 | | 8/31/2021 1:22:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13981 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 820 | 824 | hv-cinder-80674 | | 8/31/2021 1:22:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x334
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b4
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13980 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | hv-cinder-80674 | | 8/31/2021 1:22:31 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x324
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b4
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13979 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 384 | hv-cinder-80674 | | 8/31/2021 1:22:30 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2d8
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x294
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13978 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | hv-cinder-80674 | | 8/31/2021 1:22:30 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2b4
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x248
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13977 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | hv-cinder-80674 | | 8/31/2021 1:22:30 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x29c
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x294
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13976 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | hv-cinder-80674 | | 8/31/2021 1:22:30 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x294
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x18c
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13975 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 32 | hv-cinder-80674 | | 8/31/2021 1:22:30 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x254
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x248
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13974 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | hv-cinder-80674 | | 8/31/2021 1:22:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x248
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x18c
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13973 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | hv-cinder-80674 | | 8/31/2021 1:22:29 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x218
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x18c
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13972 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | hv-cinder-80674 | | 8/31/2021 1:22:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18c
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13971 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-80674 | | 8/31/2021 1:22:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x188
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13970 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-80674 | | 8/31/2021 1:22:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13969 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | hv-cinder-80674 | | 8/31/2021 1:22:26 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x5e0
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?08?-?31T13:22:16.536146100Z
New Time: ?2021?-?08?-?31T13:22:16.529000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13968 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 564 | WIN-5T344G8GM1H | | 8/31/2021 1:22:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13967 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 1316 | 1736 | WIN-5T344G8GM1H | | 8/31/2021 1:22:16 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13966 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 8/31/2021 1:22:11 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13965 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 8/31/2021 1:22:11 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13964 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 8/31/2021 1:21:54 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Target Account:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: cloudbase-init
Display Name: cloudbase-init
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 8/31/2021 1:21:54 PM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13963 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 8/31/2021 1:21:54 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0x46c
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13962 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 8/31/2021 1:21:54 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
User:
Security ID: S-1-5-21-3708509248-1531829339-1846566269-1000
Account Name: cloudbase-init
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0x46c
Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13961 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 8/31/2021 1:21:54 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Auditing settings on object were changed.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\Temp\winre\ExtractedFromWim
Handle ID: 0x348
Process Information:
Process ID: 0x4b0
Process Name: C:\Windows\System32\oobe\Setup.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) | 4907 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13960 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 472 | WIN-5T344G8GM1H | | 8/31/2021 1:21:27 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13959 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 8/31/2021 1:21:20 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13958 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 8/31/2021 1:21:20 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall service started successfully. | 5024 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13957 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:16 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x626A7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13956 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13955 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13954 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13953 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13952 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 868 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13951 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13950 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13949 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13948 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13947 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13946 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:15 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Windows Firewall Driver started successfully. | 5033 | 0 | | 0 | 12292 | 0 | -9214364837600034816 | 13945 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/31/2021 1:21:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other System Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13944 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:14 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13943 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:14 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13942 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:14 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13941 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:14 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x524
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2021?-?08?-?31T13:21:13.458811100Z
New Time: ?2021?-?08?-?31T13:21:14.109000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13940 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 564 | WIN-5T344G8GM1H | | 8/31/2021 1:21:14 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13939 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:13 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13938 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:13 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13937 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:13 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13936 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:13 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13935 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:05 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13934 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:05 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13933 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:05 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13932 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:05 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13931 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13930 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57509
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13929 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x574E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13928 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x57509
Linked Logon ID: 0x574E4
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2e4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13927 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-90-0-1
Account Name: DWM-1
Account Domain: Window Manager
Logon ID: 0x574E4
Linked Logon ID: 0x57509
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x2e4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13926 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-1
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x2e4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. | 4648 | 0 | | 0 | 12544 | 0 | -9214364837600034816 | 13925 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13924 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13923 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13922 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-20
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13921 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 912 | WIN-5T344G8GM1H | | 8/31/2021 1:21:04 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13920 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 8/31/2021 1:21:03 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x32c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13919 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 860 | WIN-5T344G8GM1H | | 8/31/2021 1:21:03 PM | fe2e3242-9e6a-0005-4832-2efe6a9ed701 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x4FFBD | 4902 | 0 | | 0 | 13568 | 0 | -9214364837600034816 | 13918 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 876 | WIN-5T344G8GM1H | | 8/31/2021 1:21:03 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Audit Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 0
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13917 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 828 | WIN-5T344G8GM1H | | 8/31/2021 1:21:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. | 4608 | 0 | | 0 | 12288 | 0 | -9214364837600034816 | 13916 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 824 | 828 | WIN-5T344G8GM1H | | 8/31/2021 1:21:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x338
New Process Name: C:\Windows\System32\lsass.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b8
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13915 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 8/31/2021 1:21:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x32c
New Process Name: C:\Windows\System32\services.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x2b8
Creator Process Name: C:\Windows\System32\wininit.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13914 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 8/31/2021 1:21:02 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2e4
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x29c
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13913 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 8/31/2021 1:21:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2b8
New Process Name: C:\Windows\System32\wininit.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x258
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13912 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 8/31/2021 1:21:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2a4
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x29c
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13911 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 8/31/2021 1:21:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x29c
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13910 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 8/31/2021 1:21:01 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x264
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x258
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13909 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 592 | WIN-5T344G8GM1H | | 8/31/2021 1:21:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x258
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13908 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 592 | WIN-5T344G8GM1H | | 8/31/2021 1:21:00 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x238
New Process Name: C:\Windows\System32\setupcl.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13907 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 376 | WIN-5T344G8GM1H | | 8/31/2021 1:20:44 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x208
New Process Name: C:\Windows\System32\autochk.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x1e4
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13906 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 188 | WIN-5T344G8GM1H | | 8/31/2021 1:20:42 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e4
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13905 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 212 | WIN-5T344G8GM1H | | 8/31/2021 1:20:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A new process has been created.
Creator Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e0
New Process Name:
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x4
Creator Process Name:
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. | 4688 | 2 | | 0 | 13312 | 0 | -9214364837600034816 | 13904 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/31/2021 1:20:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Process Creation | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Boot Configuration Data loaded.
Subject:
Security ID: S-1-5-18
Account Name: -
Account Domain: -
Logon ID: 0x3E7
General Settings:
Load Options: -
Advanced Options: No
Configuration Access Policy: Default
System Event Logging: No
Kernel Debugging: No
VSM Launch Type: Auto
Signature Settings:
Test Signing: No
Flight Signing: No
Disable Integrity Checks: No
HyperVisor Settings:
HyperVisor Load Options: -
HyperVisor Launch Type: Auto
HyperVisor Debugging: No | 4826 | 0 | | 0 | 13573 | 0 | -9214364837600034816 | 13903 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 136 | WIN-5T344G8GM1H | | 8/31/2021 1:20:41 PM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Other Policy Change Events | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x4dc
Name: C:\Windows\System32\svchost.exe
Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z
New Time: ?2018?-?01?-?19T09:48:13.152000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. | 4616 | 1 | | 0 | 12288 | 0 | -9214364837600034816 | 13902 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 4 | 1980 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Security State Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The event logging service has shut down. | 1100 | 0 | | 4 | 103 | 0 | 4620693217682128896 | 13901 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1144 | WIN-5T344G8GM1H | | 1/19/2018 9:48:13 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Service shutdown | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| User initiated logoff:
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. | 4647 | 0 | | 0 | 12545 | 0 | -9214364837600034816 | 13900 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:48:12 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logoff | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13899 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13898 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 3024 | WIN-5T344G8GM1H | | 1/19/2018 9:48:11 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13897 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13896 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 756 | WIN-5T344G8GM1H | | 1/19/2018 9:48:10 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age:
Max. Password Age:
Force Logoff:
Lockout Threshold:
Lockout Observation Window:
Lockout Duration:
Password Properties:
Min. Password Length:
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: -
Domain Behavior Version: -
OEM Information: 1
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13895 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x10
User Account Control:
'Don't Expire Password' - Disabled
User Parameters: <value not set>
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13894 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An attempt was made to reset an account's password.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H | 4724 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13893 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user account was changed.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Target Account:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Changed Attributes:
SAM Account Name: Administrator
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: 1/19/2018 9:47:34 AM
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x210
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: All
Additional Information:
Privileges: - | 4738 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13892 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
Domain:
Domain Name: WIN-5T344G8GM1H
Domain ID: S-1-5-21-416071247-492812682-1642729393
Changed Attributes:
Min. Password Age: ??
Max. Password Age:
Force Logoff: ??
Lockout Threshold:
Lockout Observation Window: -
Lockout Duration: -
Password Properties: -
Min. Password Length: -
Password History Length: 0
Machine Account Quota: 0
Mixed Domain Mode: 0
Domain Behavior Version: -
OEM Information: -
Additional Information:
Privileges: - | 4739 | 0 | | 0 | 13569 | 0 | -9214364837600034816 | 13891 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Authentication Policy Change | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| A user's local group membership was enumerated.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Logon ID: 0x1F0E3
User:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Account Domain: WIN-5T344G8GM1H
Process Information:
Process ID: 0xfac
Process Name: C:\Windows\System32\Sysprep\sysprep.exe | 4798 | 0 | | 0 | 13824 | 0 | -9214364837600034816 | 13890 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:34 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | User Account Management | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege | 4672 | 0 | | 0 | 12548 | 0 | -9214364837600034816 | 13889 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Special Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: WIN-5T344G8GM1H$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | 4624 | 2 | | 0 | 12544 | 0 | -9214364837600034816 | 13888 | Microsoft-Windows-Security-Auditing | 54849625-5478-4994-a5ba-3e3b0328c30d | Security | 664 | 716 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | ad8d0f9c-9109-0000-b10f-8dad0991d301 | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Logon | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |
| The audit log was cleared.
Subject:
Security ID: S-1-5-21-416071247-492812682-1642729393-500
Account Name: Administrator
Domain Name: WIN-5T344G8GM1H
Logon ID: 0x1F0E3 | 1102 | 0 | | 4 | 104 | 0 | 4620693217682128896 | 13887 | Microsoft-Windows-Eventlog | fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148 | Security | 436 | 1136 | WIN-5T344G8GM1H | | 1/19/2018 9:47:33 AM | | | security | System.UInt32[] | System.Diagnostics.Eventing.Reader.EventBookmark | Information | Info | Log clear | System.Collections.ObjectModel.ReadOnlyCollection`1[System.String] | System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty] |