MessageIdVersionQualifiersLevelTaskOpcodeKeywordsRecordIdProviderNameProviderIdLogNameProcessIdThreadIdMachineNameUserIdTimeCreatedActivityIdRelatedActivityIdContainerLogMatchedQueryIdsBookmarkLevelDisplayNameOpcodeDisplayNameTaskDisplayNameKeywordsDisplayNamesProperties
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xF46D4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x518 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481615500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:25:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8379D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:24:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848CA0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:24:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x856875 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:24:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x856875 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:24:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x856875 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:24:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:24:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x84CC7A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x84CC7A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:59 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x84CC7A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:59 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:59 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x84969E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x84969E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x84969E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848B64 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848CA0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848CA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848C4B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848C4B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848C4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848C06 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848C06 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848C06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848B64 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681544361-1123623177-1769441928-688728227 Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x848B64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD51EA9-2109-42F9-888A-7769A3280D29 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8472B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8472B8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8472B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:22:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83BCD9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83BCD9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83BCD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8383A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8383A3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8383A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x837890 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8379D0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x8379D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83797B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83797B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x83797B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x837936 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x837936 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x837936 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x837890 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1307042592-1246770559-3981306537-3929891635 Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x837890 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DE7E320-357F-4A50-A9EA-4DED33633DEA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:20:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822CDA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:19:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x82803A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x82803A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x82803A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x824886 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x824886 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x824886 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822B8B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822CDA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822CDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822C85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822C85 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822C85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822C3F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:18:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822C3F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822C3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822B8B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3530464400-1185730165-810367153-651697062 Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x822B8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D26E9C90-CE75-46AC-B138-4D30A61BD826 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:18:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B875 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:18:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x810FE8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x810FE8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x810FE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80D6E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80D6E8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:46 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80D6E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:46 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:46 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B726 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B875 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B875 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B820 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B820 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B820 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B7DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B7DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B7DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B726 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-136783316-1160128762-4285854376-643204361 Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80B726 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 082725D4-28FA-4526-A8F2-74FF09855626 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F998E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:15:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7FD9BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7FD9BB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:46 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7FD9BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:46 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:46 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7FA403 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7FA403 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7FA403 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F9852 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F998E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F998E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F9939 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F9939 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F9939 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F98F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F98F4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F98F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F9852 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-938856541-1203933684-2594001846-3260882253 Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F9852 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37F5D05D-91F4-47C2-B653-9D9A4D1D5DC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:40 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E3859 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F3CC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F3CC8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:27 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F3CC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:27 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:13:27 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E7720 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E7720 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E7720 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E423C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E423C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E423C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E371D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E3859 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E3859 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E3804 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E3804 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E3804 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E37BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:11:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E37BF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E37BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E371D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231307053-1323333843-843678864-1237212307 Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E371D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C099D52D-78D3-4EE0-9084-4932935CBE49 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:11:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEEED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:10:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7D2EED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7D2EED Privileges: SeImpersonatePrivilege467200125480-921436483760003481615341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7D2EED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CF8BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CF8BE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CF8BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEDAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEEED Privileges: SeImpersonatePrivilege467200125480-921436483760003481615333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEEED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEE98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEE98 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEE98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEE53 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEE53 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEE53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEDAD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4168005342-1259783955-4051578771-4258221921 Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CEDAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F86EB6DE-C713-4B16-932F-7EF1614FCFFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA523 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8123884hv-neutron-82732/2/2022 1:09:27 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BE3C1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BE3C1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BE3C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BAEE6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BAEE6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BAEE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA3DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA523 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA523 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA4CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA4CE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA4CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA489 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA489 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA489 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA3DF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1120791585-1191051500-1559700610-3749531198 Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BA3DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42CDEC21-00EC-46FE-8224-F75C3E4E7DDF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:08:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7AD25F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:07:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7ABBE6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:07:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7AD25F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:07:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7AD25F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:07:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:07:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7AD20A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:07:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7AD20A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:07:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7AD20A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:07:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:07:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7AD1C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:07:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7AD1C5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:07:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7AD1C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:07:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:07:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7ABBE6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:07:08 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7ABBE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:07:08 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:07:08 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D8C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:07:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A1751 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A1751 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A1751 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79E2A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79E2A7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79E2A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D788 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D8C4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D8C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D86F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D86F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D86F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D82A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D82A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D82A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D788 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2718973544-1207335095-692178091-3503990766 Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79D788 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2103E68-78B7-47F6-ABCC-4129EEA7DAD0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:06:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7877E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:05:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78B727 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78B727 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:31 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78B727 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:31 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:31 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7881AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7881AF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7881AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7876A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7877E0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7877E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78778B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78778B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78778B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x787746 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:04:25 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x787746 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x787746 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7876A4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-672419146-1107243614-487688832-3357884871 Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7876A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28144D4A-325E-41FF-808A-111DC74125C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:04:25 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7759BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:04:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7798D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7798D3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7798D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x776376 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x776376 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x776376 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77587D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7759BD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7759BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x775968 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x775968 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x775968 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x775923 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:03:17 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x775923 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x775923 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77587D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-105559935-1107035686-3940492189-3471636710 Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77587D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 064AB77F-0626-41FC-9D23-DFEAE6F8ECCE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:03:17 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75969B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:02:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x761E6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x761E6F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x761E6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75D614 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75D614 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75D614 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75A069 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75A069 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75A069 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75955B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75969B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75969B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x759646 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x759646 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x759646 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x759601 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x759601 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x759601 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75955B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4106607625-1092334034-582036398-1590606083 Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75955B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4C5DC09-B1D2-411B-AE2B-B12203B9CE5E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:01:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74567D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 1:00:30 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DCE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:00:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DCE5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:00:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DCE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:00:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 1:00:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7495C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7495C3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7495C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74602E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74602E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:48 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74602E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:48 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:48 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74553D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74567D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74567D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745628 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745628 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745628 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7455DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7455DF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7455DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74553D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841818550-1323398980-13409963-880218682 Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74553D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4FD7FB6-7744-4EE1-AB9E-CC003A127734 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:59:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732F91 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:59:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73BA77 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73BA77 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:23 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73BA77 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:23 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:23 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x736F03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x736F03 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:03 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x736F03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:03 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:59:03 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73395C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73395C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:58 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73395C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:58 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:58 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732E56 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732F91 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732F91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732F3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732F3C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732F3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732EF7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732EF7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732EF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732E56 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-489973477-1338156734-812139173-3433268869 Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x732E56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1D3466E5-A6BE-4FC2-A542-68308586A3CC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718303 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x720208 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72415C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:11 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72415C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:11 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72415C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:11 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:11 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x720BEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x720BEB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x720BEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7200CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x720208 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x720208 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7201B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7201B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7201B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72016E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:58:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72016E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72016E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7200CC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-620803103-1285942382-1896775350-860049348 Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7200CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2500B41F-EC6E-4CA5-B67E-0E71C44F4333 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:58:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71C488 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71C488 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:59 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71C488 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:59 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:59 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718CBA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718CBA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718CBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7181C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718303 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718303 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7182AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7182AE Privileges: SeImpersonatePrivilege467200125480-921436483760003481615085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7182AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718269 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718269 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718269 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7181C8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3590397425-1214919595-734555578-4076692716 Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7181C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6011DF1-33AB-486A-BA6D-C82BEC64FDF2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70B10B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7082D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70B10B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70B10B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70B0B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70B0B6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70B0B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70B071 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:57:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70B071 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:57:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x70B071 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:57:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:57:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7082D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:57:16 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7082D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:57:16 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:57:16 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FEAE7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:57:01 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FB4A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FEAE7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FEAE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FEA92 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FEA92 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FEA92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FEA4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FEA4D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FEA4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FB4A6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FB4A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8D6D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:56:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F1BED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:56:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F1BED Privileges: SeImpersonatePrivilege467200125480-921436483760003481615041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:56:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F1BED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:56:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:56:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECF35 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECF35 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:58 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ECF35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:58 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:58 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E9735 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E9735 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E9735 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8C31 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8D6D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8D6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8D18 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8D18 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8D18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8CD3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8CD3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8CD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8C31 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1205746460-1194859336-1622294672-1216982719 Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8C31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47DE3B1C-1B48-4738-9040-B260BFAE8948 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DE84C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:55:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DD957 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DE84C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DE84C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DE7F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DE7F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DE7F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DE7B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DE7B2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DE7B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DD957 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DD957 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D3EE7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D2951 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D3EE7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D3EE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D3E92 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D3E92 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D3E92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D3E4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D3E4D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D3E4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D2951 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:34 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D2951 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:34 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:34 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C678F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA85B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA85B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:10 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CA85B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:10 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:10 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C7152 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:05 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C7152 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C7152 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:05 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C6654 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C678F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C678F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C673A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C673A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C673A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C66F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C66F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C66F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C6654 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4084711381-1082338572-1705079732-3941834675 Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C6654 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F377BFD5-2D0C-4083-B473-A165B39FF3EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:55:04 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB6D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:58 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA0A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB6D6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB6D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB681 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB681 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB681 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB63C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB63C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB63C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:51 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA0A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA0A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB1EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:54:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AF3B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AF3B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AF3B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ABC2A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ABC2A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ABC2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB0B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB1EE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB1EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB199 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB199 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB199 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB154 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB154 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB154 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB0B3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2950378742-1154689104-3619524227-3558202106 Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AB0B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AFDB34F6-2850-44D3-838E-BDD7FADA15D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:54:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0C90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:53:56 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69F6D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:53:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0C90 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:53:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0C90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:53:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:53:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0C3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:53:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0C3B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:53:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0C3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:53:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:53:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0BF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0BF6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0BF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69F6D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69F6D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x691116 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6952D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:09 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6952D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6952D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:09 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x691B4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x691B4E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x691B4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x690FDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x691116 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x691116 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6910C1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6910C1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6910C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69107C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69107C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69107C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x690FDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-374506363-1181910330-1562899612-370186980 Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x690FDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1652837B-853A-4672-9CF4-275DE49A1016 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:53:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6861EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:46 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684C3A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6861EA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6861EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686195 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686195 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686195 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686150 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686150 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x686150 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684C3A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x684C3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677653 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67B492 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67B492 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67B492 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:52:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x678006 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x678006 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x678006 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677518 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677653 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677653 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6775FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6775FE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6775FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6775B9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6775B9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6775B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677518 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-30601960-1187558301-269726890-3487552263 Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677518 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 01D2F2E8-B39D-46C8-AAB4-131007D3DFCF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:52:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D72A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C07A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D72A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D72A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D6D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D6D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D6D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D690 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D690 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D690 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C07A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C07A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EBCC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x662A1F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x662A1F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x662A1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F598 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F598 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:16 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F598 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:16 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:16 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EA8C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:16 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EBCC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EBCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EB77 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EB77 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EB77 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EB32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EB32 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EB32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EA8C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1224127986-1201816072-206673308-2192236151 Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65EA8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48F6B5F2-4208-47A2-9C95-510C77DEAA82 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:51:15 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654A6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6532E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654A6A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654A6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654A15 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654A15 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x654A15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6549D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6549D0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6549D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6532E7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6532E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:51:01 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645A5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x649834 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x649834 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x649834 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64640B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64640B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64640B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64591F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645A5A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645A5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645A05 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645A05 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645A05 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6459C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6459C0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6459C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64591F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1124843142-1247671991-1075274120-1427116217 Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64591F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 430BBE86-F6B7-4A5D-8861-1740B9101055 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x639A74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:15 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63D8A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:10 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63D8A8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:10 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63D8A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:10 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:10 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63A437 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63A437 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63A437 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x639934 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x639A74 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x639A74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x639A1F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x639A1F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x639A1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6399DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6399DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6399DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x639934 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2959225078-1084213819-3783226522-2246615234 Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x639934 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B06230F6-CA3B-409F-9A74-7FE1C2A0E885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:50:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AA12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:49:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62E869 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:06 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62E869 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62E869 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:06 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B455 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B455 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B455 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A8D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AA12 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AA12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A9BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A9BD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A9BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A978 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:49:02 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A978 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A978 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A8D6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173030785-1234987130-2369850551-964830371 Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62A8D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A503D81-687A-499C-B70C-418DA3248239 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:49:02 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601CB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:48:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6100AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:48:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C78B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6140A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:50 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6140A8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6140A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:50 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x610AEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x610AEB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:45 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x610AEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:45 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:45 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FF70 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6100AF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6100AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61005A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61005A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61005A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x610015 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x610015 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x610015 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FF70 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2849071454-1092785912-2117289365-829217846 Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60FF70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9D1615E-96F8-4122-9545-337E36DC6C31 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:44 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60B597 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:32 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60B597 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:32 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60B597 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:32 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:32 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E47F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602768 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602768 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602768 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601B74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601CB4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601CB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601C5F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601C5F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601C5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601C1A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601C1A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601C1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601B74 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3443251349-1156296773-501616774-1451987825 Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x601B74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CD3BD895-B045-44EB-8610-E61D71938B56 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:47:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D789B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:47:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F570B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:45:57 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F570B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:45:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F570B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:45:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:45:57 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EFC5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:45:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EFC5B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:45:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EFC5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:45:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124752hv-neutron-82732/2/2022 12:45:53 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:45:48 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:45:48 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E46A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:45:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E47F4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E47F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E479F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:45:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E479F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E479F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E4759 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:45:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E4759 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E4759 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E46A5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2321710000-1259622748-266959003-1926450961 Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E46A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A627BB0-515C-4B14-9B78-E90F114FD372 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:45:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB7E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB7E7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB7E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D82A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D82A9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D82A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D7760 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D789B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D789B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D7846 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D7846 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D7846 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D7801 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:44:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D7801 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D7801 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D7760 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402131776-1219026793-3462940578-1333488548 Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D7760 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 17F80B40-DF69-48A8-A247-68CEA46B7B4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:44:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF5D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:59 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CE169 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:34 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CE169 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:34 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CE169 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:34 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:34 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CA6F9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CA6F9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CA6F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C7765 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:23 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C78B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:23 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C78B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:23 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:23 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C785F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C785F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C785F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:43:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C7819 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C7819 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C7819 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C7765 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1122990991-1304035553-3800256691-887668491 Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C7765 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42EF7B8F-00E1-4DBA-B350-83E20BBFE834 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C46B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:12 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C46B1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C46B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:12 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFF91 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFF91 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFF91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF499 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF5D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF5D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF57F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF57F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF57F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF53A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF53A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF53A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF499 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4008421254-1099503778-3592796090-425472313 Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BF499 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EEEBA786-18A2-4189-BAB7-25D639315C19 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:43:07 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57848B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE963 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B2912 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B2912 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:42 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B2912 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:42 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:42 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AF36B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AF36B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AF36B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE824 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE963 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE963 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE90E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE90E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE90E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE8C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE8C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE8C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE824 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1798645205-1231231736-1428128422-443332372 Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE824 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B3525D5-1AF8-4963-A682-1F5514B76C1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:37 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A1761 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:29 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6932 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6932 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6932 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A218D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A218D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A218D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A1621 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A1761 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A1761 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A170C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A170C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A170C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A16C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A16C7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A16C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A1621 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398131245-1310003393-1530768318-2761311493 Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A1621 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8B5E2D-10C1-4E15-BEAB-3D5B054596A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F18C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:42:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E2A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:41:55 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x592354 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x592354 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x592354 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58ED65 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58ED65 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58ED65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E16E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E2A9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E2A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E254 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E254 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E254 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E20F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:41:13 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E20F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E20F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E16E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3158615213-1293723464-177582505-2043523344 Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58E16E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC44A4AD-A748-4D1C-A9B1-950A10B1CD79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:41:13 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58A0FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58A0FF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58A0FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x584405 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:47 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x584405 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x584405 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:47 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:42 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:42 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57833C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57848B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57848B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x578436 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x578436 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x578436 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5783F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5783F0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5783F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57833C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1342877575-1113149043-3467819707-3300168226 Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57833C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 500AAF87-4E73-4259-BBBA-B2CE2292B4C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5741F9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:24 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5741F9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5741F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:24 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56FB63 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56FB63 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56FB63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:19 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EFD1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F18C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F18C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F137 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F137 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F137 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F0F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:18 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F0F2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56F0F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EFD1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1666571890-1163805240-876394138-759417326 Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EFD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6355DE72-4238-455E-9AB6-3C34EEC9432D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:40:18 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548E68 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:51 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5558D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:45 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A54A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:28 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A54A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A54A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:28 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5565F3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5565F3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5565F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5556D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5558D5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5558D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555837 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555837 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555837 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5557ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:21 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5557ED Privileges: SeImpersonatePrivilege467200125480-921436483760003481614424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5557ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5556D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2045747567-1253415489-3113699208-2651222925 Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5556D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 79EFA16F-9A41-4AB5-8847-97B98D73069E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:21 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5511B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:08 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5511B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:08 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5511B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:08 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:08 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F638 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:03 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5498DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5498DC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5498DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548D2D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548E68 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548E68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548E13 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548E13 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548E13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548DCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548DCE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548DCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548D2D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3983448208-1324933688-107451575-3870484223 Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x548D2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ED6E9890-E238-4EF8-B794-6706FFE6B2E6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:39:00 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x541EEC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:22 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x541EEC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x541EEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:22 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53FFED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53FFED Privileges: SeImpersonatePrivilege467200125480-921436483760003481614389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53FFED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F4FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F638 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F638 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F5E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F5E3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F5E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F59E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:38:20 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F59E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F59E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F4FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179773801-1186838437-3984988060-3155673597 Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F4FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4651EB69-B7A5-46BD-9C17-86EDFDC117BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:38:20 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528BB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:38:19 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51237D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:53 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E823 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52F085 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:35 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52F085 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52F085 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5295C1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5295C1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5295C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528A7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528BB7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528BB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528B62 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528B62 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528B62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528B1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:37:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528B1D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528B1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528A7C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3481610869-1075585994-2382040238-3343727562 Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x528A7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CF852A75-23CA-401C-AE0C-FB8DCA3B4DC7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:37:26 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5229FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:54 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5229FE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5229FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:54 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51F224 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51F224 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51F224 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E6E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E823 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E823 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E7CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E7CE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E7CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E787 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E787 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E787 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E6E3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2266277696-1188950653-2649736375-1509398498 Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E6E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8714A740-F27D-46DD-B7C4-EF9DE297F759 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:36:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516816 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:42 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516816 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:42 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516816 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:42 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:42 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x512D56 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x512D56 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x512D56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51223D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51237D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51237D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x512328 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x512328 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x512328 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5122E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:35:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5122E3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5122E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51223D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3452134517-1219230845-355011478-3742912779 Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51223D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CDC36475-FC7D-48AB-960B-29150B5118DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:35:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D2A40 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:34:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D2626 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:32:31 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CDA13 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:32:26 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E326A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:52 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E326A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E326A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:52 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DFA2A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:48 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DFA2A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:48 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DFA2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:48 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:48 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D906B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:41 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D906B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D906B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:41 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D4453 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D4453 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D4453 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D3F2D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D3F2D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D3F2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D276C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D2A40 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D2A40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D29C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D29C0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D29C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D28E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D28E4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D28E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D276C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3365677963-1147962970-1148448391-524545650 Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D276C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C89C2B8B-865A-446C-87EE-734472EE431F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:39 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D246C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:39 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D2626 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D2626 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D25B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D25B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D25B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D2561 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D2561 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D2561 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D246C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769384506-1222592142-2721704587-2681166394 Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D246C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0AC3E3A-468E-48DF-8BEA-39A23A5ACF9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:38 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CE722 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CE722 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CE722 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CD886 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CDA13 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CDA13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CD9BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CD9BE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CD9BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CD975 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CD975 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CD975 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:33 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CD886 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:32 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-836767968-1319804722-4194708141-556645507 Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CD886 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:32 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 31E010E0-9F32-4EAA-AD2A-06FA83BC2D21 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:32 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:32 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124532hv-neutron-82732/2/2022 12:31:32 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xF46D4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1074 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124144hv-neutron-82732/2/2022 12:29:35 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xF46D4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x13c8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8124144hv-neutron-82732/2/2022 12:28:49 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 12:13:10 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 12:13:10 PMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 11:59:47 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8122268hv-neutron-82732/2/2022 11:59:47 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xF46D4 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Process Information: Process ID: 0x134c Process Name: C:\Program Files\Git\usr\bin\bash.exe479800138240-921436483760003481614219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:59:40 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:58:17 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:58:17 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xF46D4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:57:11 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xF46D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-NEUTRON-8273 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:57:11 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:57:11 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-NEUTRON-8273 Error Code: 0x0477600143360-921436483760003481614213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:57:11 AMa3b2bd0b-182b-0002-1dc0-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xE9CFE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:57:03 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xE9CFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-NEUTRON-8273 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:57:03 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:57:03 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-NEUTRON-8273 Error Code: 0x0477600143360-921436483760003481614209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:57:03 AMa3b2bd0b-182b-0004-e2bf-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xE45D1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:57:01 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0xE45D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-NEUTRON-8273 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:57:01 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:57:01 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-NEUTRON-8273 Error Code: 0x0477600143360-921436483760003481614205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:57:01 AMa3b2bd0b-182b-0002-75bf-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_0c68571f-159d-4e9c-81ec-a8505eee41cb Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0506100122900-921436483760003481614199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_0c68571f-159d-4e9c-81ec-a8505eee41cb Operation: Write persisted key to file. Return Code: 0x0505800122920-921436483760003481614198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016506100122900-921886843722740531214197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0505800122920-921436483760003481614196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x8A610 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-500 Account Name: Administrator Account Domain: HV-NEUTRON-8273472400138240-921436483760003481614190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:56:24 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x8A610 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-500 Account Name: Administrator Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 2/2/2022 11:56:24 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:56:24 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x8A610 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-500 Account Name: Administrator Account Domain: HV-NEUTRON-8273 Process Information: Process ID: 0x6f0 Process Name: C:\Windows\System32\net1.exe479800138240-921436483760003481614188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:56:24 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x8A610 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x56c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:56:14 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x2B296 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x8A610 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x8A610 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-NEUTRON-8273 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-NEUTRON-8273 Error Code: 0x0477600143360-921436483760003481614182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:54 AMa3b2bd0b-182b-0004-ddbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x59c Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?02?-?02T11:55:54.162216300Z New Time: ?2022?-?02?-?02T11:55:54.154000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity43168hv-neutron-82732/2/2022 11:55:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x8800A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x8800A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:48 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x8800A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-NEUTRON-8273 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:48 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:48 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-NEUTRON-8273 Error Code: 0x0477600143360-921436483760003481614176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:48 AMa3b2bd0b-182b-0001-f1be-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 1a9912ef-13a4-457a-b999-113c2bc88341 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:48 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 1a9912ef-13a4-457a-b999-113c2bc88341 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\149202c1182561e30c3412e66b79f1a8_0c68571f-159d-4e9c-81ec-a8505eee41cb Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:48 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273472400138240-921436483760003481614173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:45 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 2/2/2022 11:55:45 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:45 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Process Information: Process ID: 0x48c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:45 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Process Information: Process ID: 0x48c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:45 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Process Information: Process ID: 0x48c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:45 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:40 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:40 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Process Information: Process ID: 0x48c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:39 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Member: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:38 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x65FF9 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x220 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:38 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon ID: 0x65FF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x48c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: HV-NEUTRON-8273 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:37 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-NEUTRON-8273 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x48c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:37 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-NEUTRON-8273 Error Code: 0x0477600143360-921436483760003481614160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:37 AMa3b2bd0b-182b-0000-e1bd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273472400138240-921436483760003481614159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:34 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 2/2/2022 11:55:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:34 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273472200138240-921436483760003481614157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:34 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 New Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: Admin Account Domain: HV-NEUTRON-8273 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -472000138240-921436483760003481614156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:34 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Member: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1001 Account Name: - Group: Security ID: S-1-5-21-2376776370-2204618211-3899570595-513 Group Name: None Group Domain: HV-NEUTRON-8273 Additional Information: Privileges: -472800138260-921436483760003481614155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:34 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:09 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x2B296 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x54F96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xf00 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: HV-NEUTRON-8273 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:09 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: HV-NEUTRON-8273 Error Code: 0x0477600143360-921436483760003481614152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:09 AMa3b2bd0b-182b-0000-d8bd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x2B296 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273472400138240-921436483760003481614151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:09 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x2B296 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 2/2/2022 11:55:09 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:09 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x2B296 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Process Information: Process ID: 0xf00 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:09 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x2B296 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Process Information: Process ID: 0xf00 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:09 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: HV-NEUTRON-8273 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x220 Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-NEUTRON-8273 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462500125440-921886843722740531214147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:04 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:04 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:04 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-500 Account Name: Administrator Account Domain: HV-NEUTRON-8273 Process Information: Process ID: 0xfd0 Process Name: C:\Windows\System32\LogonUI.exe479800138240-921436483760003481614144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:04 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:01 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa4c Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:55:01 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:00 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:55:00 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x220 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:59 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_0c68571f-159d-4e9c-81ec-a8505eee41cb Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_0c68571f-159d-4e9c-81ec-a8505eee41cb Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x2B296 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon ID: 0x2B296 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: HV-NEUTRON-8273 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: HV-NEUTRON-8273 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: HV-NEUTRON-8273 Error Code: 0x0477600143360-921436483760003481614129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:57 AMa3b2bd0b-182b-0000-3cbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:55 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:55 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:55 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:55 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:55 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:55 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:55 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:55 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:55 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481614119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2137E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:54 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481614107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432hv-neutron-82732/2/2022 11:54:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x220 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x220 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x220 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:53 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x594 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?02?-?02T11:54:52.064779800Z New Time: ?2022?-?02?-?02T11:54:52.730000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432hv-neutron-82732/2/2022 11:54:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:52 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812852hv-neutron-82732/2/2022 11:54:52 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x5d0 Process Information: Process ID: 0x510 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481614086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432hv-neutron-82732/2/2022 11:54:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:51 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:51 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:51 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:51 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-2376776370-2204618211-3899570595-513 Group Name: None Group Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -473700138260-921436483760003481614081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-513 Account Domain: HV-NEUTRON-8273 Old Account Name: None New Account Name: None Additional Information: Privileges: -478100138240-921436483760003481614080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-2376776370-2204618211-3899570595-513 Group Name: None Group Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473700138260-921436483760003481614079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-503 Account Name: DefaultAccount Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-503 Account Name: DefaultAccount Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-501 Account Name: Guest Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-501 Account Name: Guest Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-500 Account Name: Administrator Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-500 Account Name: Administrator Account Domain: HV-NEUTRON-8273 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -473500138260-921436483760003481614072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -478100138240-921436483760003481614071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -478100138240-921436483760003481614068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -478100138240-921436483760003481614065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -478100138240-921436483760003481614062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -478100138240-921436483760003481614059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -478100138240-921436483760003481614056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -478100138240-921436483760003481614053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -478100138240-921436483760003481614050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -473500138260-921436483760003481614048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -478100138240-921436483760003481614047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -478100138240-921436483760003481614044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -478100138240-921436483760003481614041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -473500138260-921436483760003481614039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -478100138240-921436483760003481614038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -478100138240-921436483760003481614035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -478100138240-921436483760003481614032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -478100138240-921436483760003481614029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -478100138240-921436483760003481614026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -478100138240-921436483760003481614023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -478100138240-921436483760003481614020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -473500138260-921436483760003481614018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -478100138240-921436483760003481614017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -478100138240-921436483760003481614014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -473500138260-921436483760003481614012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -478100138240-921436483760003481614011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -478100138240-921436483760003481614008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -478100138240-921436483760003481614005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -478100138240-921436483760003481614002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:50 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:39 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:39 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:39 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:39 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:39 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:39 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:39 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:39 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB68A Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:38 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB678 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:38 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB68A Linked Logon ID: 0xB678 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:38 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB678 Linked Logon ID: 0xB68A Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:38 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:38 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:38 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812900hv-neutron-82732/2/2022 11:54:38 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:37 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-NEUTRON-8273$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812844hv-neutron-82732/2/2022 11:54:37 AMa3b2bd0b-182b-0002-0fbd-b2a32b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x62A8490200135680-921436483760003481613983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812860hv-neutron-82732/2/2022 11:54:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812816hv-neutron-82732/2/2022 11:54:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity812816hv-neutron-82732/2/2022 11:54:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4508hv-neutron-82732/2/2022 11:54:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4508hv-neutron-82732/2/2022 11:54:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4384hv-neutron-82732/2/2022 11:54:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ac New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4384hv-neutron-82732/2/2022 11:54:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4384hv-neutron-82732/2/2022 11:54:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x288 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4384hv-neutron-82732/2/2022 11:54:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4512hv-neutron-82732/2/2022 11:54:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4512hv-neutron-82732/2/2022 11:54:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x210 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136hv-neutron-82732/2/2022 11:54:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4384hv-neutron-82732/2/2022 11:54:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136hv-neutron-82732/2/2022 11:54:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136hv-neutron-82732/2/2022 11:54:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5d4 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?02?-?02T11:54:23.426246800Z New Time: ?2022?-?02?-?02T11:54:23.420000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432WIN-5T344G8GM1H2/2/2022 11:54:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613967Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security13001548WIN-5T344G8GM1H2/2/2022 11:54:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:54:18 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:54:18 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:54:01 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 2/2/2022 11:54:01 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:54:01 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xb30 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:54:01 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-2376776370-2204618211-3899570595-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xb30 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:54:01 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x350 Process Information: Process ID: 0x49c Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481613960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4468WIN-5T344G8GM1H2/2/2022 11:53:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816888WIN-5T344G8GM1H2/2/2022 11:53:29 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816888WIN-5T344G8GM1H2/2/2022 11:53:29 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481613957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816888WIN-5T344G8GM1H2/2/2022 11:53:25 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x633FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816888WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816888WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816852WIN-5T344G8GM1H2/2/2022 11:53:24 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481613945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4468WIN-5T344G8GM1H2/2/2022 11:53:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:23 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:23 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:23 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:23 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x514 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?02?-?02T11:53:22.572672100Z New Time: ?2022?-?02?-?02T11:53:23.320000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4584WIN-5T344G8GM1H2/2/2022 11:53:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:22 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:22 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816888WIN-5T344G8GM1H2/2/2022 11:53:22 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816888WIN-5T344G8GM1H2/2/2022 11:53:22 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57671 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5765E Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57671 Linked Logon ID: 0x5765E Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5765E Linked Logon ID: 0x57671 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:14 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:13 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:13 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:13 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816892WIN-5T344G8GM1H2/2/2022 11:53:13 AM67a33277-182b-0005-7b32-a3672b18d801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x500EE490200135680-921436483760003481613918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816864WIN-5T344G8GM1H2/2/2022 11:53:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816820WIN-5T344G8GM1H2/2/2022 11:53:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity816820WIN-5T344G8GM1H2/2/2022 11:53:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H2/2/2022 11:53:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H2/2/2022 11:53:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H2/2/2022 11:53:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x250 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H2/2/2022 11:53:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H2/2/2022 11:53:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x290 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4588WIN-5T344G8GM1H2/2/2022 11:53:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x250 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4472WIN-5T344G8GM1H2/2/2022 11:53:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H2/2/2022 11:53:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4468WIN-5T344G8GM1H2/2/2022 11:52:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188WIN-5T344G8GM1H2/2/2022 11:52:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H2/2/2022 11:52:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H2/2/2022 11:52:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H2/2/2022 11:52:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity41980WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613901Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361144WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.464700125450-921436483760003481613900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:48:12 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -473900135690-921436483760003481613895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -473900135690-921436483760003481613891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe479800138240-921436483760003481613890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E31102041040462069321768212889613887Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361136WIN-5T344G8GM1H1/19/2018 9:47:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLog clearSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]